Welcome to the Exploits for November, 2000 Section.

Some of these exploits are from Bugtraq.

| File Name | Description | Downloads | File Size (bytes) | Last Modified |
|---|---|---|---|---|
| 0011-exploits.tgz | Packet Storm new exploits for November, 2000. | 0 | 442967 | Dec 14 2000 17:53:46 |
| tessa.c | Remote denial of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service and Information Store. The bug is in the handling of a line containing Content="". Homepage: http://securax.org/incubus. By Incubus | 0 | 4127 | Dec 6 2000 21:03:21 |
| oidldapd.c | Exploit code for oidldapd in Oracle 8.1.6 (8ir2) for Linux. I tested it on RH 6.2 and 6.1. | 0 | 1651 | Dec 5 2000 18:13:05 |
| cgiforum-1.0.txt | CGIForum v1.0i (cgi-bin/cgiforum.pl) allows remote users to view any file on the system via a ../.. bug. By Zorgon | 0 | 767 | Dec 2 2000 21:48:21 |
| xp-bitchx.c | BitchX v1.0c16 remote exploit. Tested against Redhat 6.0, 7.0, and Debian 2.2. Homepage: http://www.netsearch-ezine.com. By Raise | 0 | 9668 | Dec 2 2000 21:26:35 |
| libc-language.su.c | Glibc 2.1 + /bin/su local root exploit. Tested on Redhat 6.2, 6.1, and SuSE 6.2. By Doing | 0 | 13626 | Dec 2 2000 21:23:08 |
| mogrify.c | /usr/X11R6/bin/mogrify local buffer overflow exploit for Redhat 7.0. Homepage: http://w3.swi.hu/zucco/. By Zucco | 0 | 1193 | Dec 2 2000 17:36:15 |
| lnapster_dos.c | The Linux Napster Client v0.9 through v1.4.4 contains remote denial of service vulnerabilities, including a buffer overflow. Homepage: http://www.fakehalo.org. By Vade79 | 0 | 2252 | Dec 2 2000 17:08:50 |
| xrcvtty.c | BSDI 3.0/4.0 /usr/contrib/mh/lib/rcvtty local exploit. Gives an egid=4 (tty) shell. Homepage: http://www.fakehalo.org. By Vade79 | 0 | 3245 | Dec 2 2000 16:23:28 |
| bsdi_inews.c | BSDI 3.0 local Inews (inn-2.2) buffer overflow exploit. Gives an egid=news shell. Homepage: http://www.fakehalo.org. By Vade79 | 0 | 1870 | Dec 2 2000 16:20:52 |
| bsdi_sperl.c | BSDI 3.0 /usr/bin/suidperl local root exploit. Homepage: http://www.fakehalo.org. By Vade79 | 0 | 1370 | Dec 2 2000 16:19:26 |
| bsdi_inc.c | BSDI 3.0 /usr/contrib/mh/bin/inc local root exploit. Homepage: http://www.fakehalo.org. By Vade79 | 0 | 1410 | Nov 29 2000 08:56:34 |
| NIT_UNICODE.zip | Microsoft IIS Unicode remote exploit which uses tftp to obtain code to run. By Stealthmode316 | 0 | 71136 | Nov 29 2000 00:26:21 |
| SynAttackProtect.txt | Windows NT 4.0 SP6a with SynAttackProtect set is vulnerable to a remote denial of service attack. Homepage: http://adonis1@videotron.ca. | 0 | 28258 | Nov 25 2000 17:56:43 |
| super-sadmin.c | Super Solaris sadmin exploit. Works with Solaris 2.6/7.0 SPARC and x86, and does the sp guessing (much like sadmin-brute.c). By Optyx | 0 | 13213 | Nov 25 2000 17:44:32 |
| coolz.cpp | Koules v1.4 (svgalib version) local root exploit. Homepage: http://www.synnergy.net. By Scrippie | 0 | 4416 | Nov 21 2000 12:07:23 |
| analogx-4.10.dos.txt | Network Security Solutions Security Advisory. A denial of service vulnerability has been discovered in AnalogX proxy v4.10. POP, FTP, and SMTP are vulnerable to a buffer overflow, crashing all the proxy services. Homepage: http://www.nssolution.net. By Zerologic | 0 | 3674 | Nov 21 2000 12:01:33 |
| tetrinet-1.13.dos.tx..> | Tetrinet v1.13 has a denial of service vulnerability which is triggered by telnetting to the tetrinet port and pressing enter once, freezing the game. Homepage: http://www.m4dskill.org. By Skyrim | 0 | 674 | Nov 18 2000 23:18:11 |
| sbo_ethereal.c | Ethereal v0.8.13 advisory and remote exploit for Linux x86. A stack overflow in the AFS packet parsing routine allows a spoofed packet to start a root shell bound to TCP port 36864. Homepage: http://hacksware.com. By Mat | 0 | 12796 | Nov 18 2000 21:12:51 |
| wkit.joe.txt | Joe's Own Editor file link vulnerability. If a joe session with an unsaved file terminates abnormally, joe creates a rescue copy of the file being edited called DEADJOE. This rescue copy is created without checking whether the file is a link. Homepage: http://www.wkit.com/advisories. By Patrik Birgersson | 0 | 5306 | Nov 17 2000 08:32:19 |
| vixie-cron.sh | Vixie crontab local root exploit. An insecure fopen() call in Paul Vixie's crontab code is exploitable on systems where /var/spool/cron is user readable, such as Red Hat 6.1. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski | 0 | 7320 | Nov 17 2000 01:16:49 |
| 1080r.c | Socks5 v1.0r10 remote buffer overflow exploit. Tested against Turbolinux 4.0.5 and Redhat 6.0. Homepage: http://members.tripod.com/~ochodedos. By The Dark Raver | 0 | 5219 | Nov 15 2000 23:53:15 |
| aim.caching.txt | AOL Instant Messenger contains a caching vulnerability: once you have logged onto AIM with a screenname, you can permanently log in with that screenname. By F3d | 0 | 1654 | Nov 15 2000 23:31:34 |
| bsdi_elm.c | BSDI Elm 2.4 local buffer overflow exploit. Tested on BSDI/3.0, gives a group mail shell. Homepage: http://www.fakehalo.org. By Vade79 | 0 | 1329 | Nov 15 2000 23:26:42 |
| phx.c | Phf remote buffer overflow exploit for Linux x86. This is unrelated to the well known bad filter problem. By Proton | 0 | 5332 | Nov 15 2000 19:59:00 |
| deb_gnomehack.c | Gnomehack v1.0.5 local buffer overflow exploit which gives an egid=60 (games) shell if gnomehack is sgid (2755). Tested on Debian 2.2. The same bug also affects Nethack. Homepage: http://www.fakehalo.org. By Vade79 | 0 | 2069 | Nov 15 2000 18:34:21 |
| sonata.teleconf.txt | Voyant Technologies Sonata Conferencing vulnerability report. Local and remote vulnerabilities have been found in both the Solaris and OS/2 hosts, including reused default passwords, poor file permissions, a lack of host hardening, account enumeration, and an insecure X console. Homepage: http://vapid.dhs.org. By Larry W. Cashdollar | 0 | 3136 | Nov 15 2000 18:28:34 |
| openssh.forwarding.t..> | All versions of the OpenSSH ssh client prior to 2.3.0 have a vulnerability which allows malicious OpenSSH servers to turn on port forwarding even if it is disabled in the client configuration, allowing hostile servers to access your X11 display or your ssh-agent. Newest version available here. Homepage: http://www.openssh.com. | 0 | 3070 | Nov 14 2000 21:58:43 |
| openwall.c | Openwall.c is a local root exploit for LBNL traceroute v1.4a5 which executes code from the heap instead of the stack, avoiding the Openwall kernel patch. Homepage: ftp://maxx.via.ecp.fr/traceroot. By Michel MaXX Kaempf | 0 | 4622 | Nov 14 2000 21:49:25 |
| traceroot2.c | Traceroot2.c is an improved local root exploit for LBNL traceroute v1.4a5. Tested against Debian GNU/Linux 2.2 x86 and sparc, and Red Hat 6.2 x86. Advisory on this issue available here. Homepage: ftp://maxx.via.ecp.fr/traceroot. By Michel MaXX Kaempf | 0 | 6513 | Nov 14 2000 21:47:19 |
| local_nonexec_sun.c | Solaris Sparc 2.6 / 7 local root exploit against /usr/bin/passwd which uses the as yet unpatched libc locale bug and bypasses non-executable stack protection. Homepage: http://www.nsfocus.com. By Warning3 | 0 | 10660 | Nov 14 2000 14:19:00 |
| bsdi_filter.c | BSDI /usr/contrib/bin/filter v2.* local buffer overflow exploit. Tested on BSDI 3.0, provides a shell with GID mail. Homepage: http://www.fakehalo.org. By Vade79 | 0 | 1472 | Nov 14 2000 14:11:32 |
| iXsecurity.20001107...> | iXsecurity Security Vulnerability Report. The default installation of Compaq Web-Based Management on a Netware server reveals sensitive system files to anyone who can access TCP port 2301, allowing remote users to read the remote console password. Software version 2.28 verified vulnerable. Compaq advisory available here. Homepage: http://www.ixsecurity.com. By Ian Vitek | 0 | 2372 | Nov 13 2000 17:13:10 |
| hpux.10.20.644.txt | HP/UX 10.20 allows any file on the filesystem to be chmodded 644. By J.A. Gutierrez | 0 | 1073 | Nov 13 2000 17:04:52 |
| new.phf.txt | An exploitable buffer overflow vulnerability has been found in phf which is unrelated to the well known bad filter problem. All versions of phf should be removed. By Proton | 0 | 1087 | Nov 13 2000 17:00:53 |
| sadmind-sun.brute.c | Remote exploit for rpc.sadmind which brute forces the offset. Tested against Solaris x86 and SPARC v2.6 and 7.0. By Nikolai Abromov | 0 | 7394 | Nov 13 2000 16:37:21 |
| exchange.dos.txt | Remote denial of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service. A message containing charset = "" causes the mail service to crash. Homepage: http://www.savelev.com. By Art Savelev | 0 | 1019 | Nov 13 2000 16:29:10 |
| guninski27.txt | Georgi Guninski security advisory #27. There is a security vulnerability in IE 5.x, Outlook, and Outlook Express which allows searching for files with a specific name (wildcards are allowed) or content. Combined with other local file reading vulnerabilities this allows attackers to search for and retrieve any file on a user's drive. The problem is the "ixsso.query" ActiveXObject, which is used to query the Indexing service and, surprisingly, is marked safe for scripting. Exploit code included, demonstration available here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski | 0 | 2873 | Nov 13 2000 16:07:13 |
| cons.saver.txt | Many systems have the SUID bit set on cons.saver (/usr/lib/mc/bin/cons.saver), part of the Midnight Commander package. A denial of service vulnerability has been found which allows local users to write a null character into any symlinkable file. Includes proof of concept exploit and a patch for cons.saver. By Z33d | 0 | 3700 | Nov 13 2000 15:53:14 |
| gbook.cgi.txt | GBook, a web site guestbook, has a remote command execution vulnerability in gbook.cgi. Homepage: http://hacksware.com. By Mat | 0 | 1303 | Nov 11 2000 19:24:45 |
| dumpx.c | Dump-0.4b15-1 local root exploit, tested on Redhat 6.2. By The Itch | 0 | 1850 | Nov 11 2000 17:29:27 |
| dae_sambar44.pl | The Sambar Server v4.4 Beta 4 for Windows 95/NT is vulnerable to a remote denial of service attack due to the con/con bug. Perl proof of concept code included. Homepage: http://www.daemon-root.da.ru. By Daemon-root | 0 | 1861 | Nov 11 2000 17:19:43 |
| uni2.pl | Uni2.pl checks a host for the recent IIS unicode vulnerability in 14 different ways. Also gives you the browser URL for the exploit. Originally by Stealthmode316, modifications by Roeland. | 0 | 4801 | Nov 10 2000 12:59:09 |
| omnisux.pl | The OmniHTTPd web server v2.06 and below contains a remote denial of service vulnerability in /cgi-bin/visadmin.exe. By Philer | 0 | 1049 | Nov 9 2000 15:20:12 |
| iis-unicode-exploit...> | IIS Unicode remote exploit. Executes commands remotely on IIS 4.0 on NT and IIS 5.0 on Windows NT and 2000. Homepage: http://teleh0r.cjb.net. By Telehor | 0 | 4305 | Nov 9 2000 00:22:12 |
| pollit-2.0-exploit.p..> | Poll It v2.0 CGI exploit which binds a shell to TCP port 60179. By Telehor | 0 | 2545 | Nov 9 2000 00:19:37 |
| quakeworldex.txt | Quake World server for Unix v2.30 contains a buffer overflow in the rcon feature which causes the server to crash with a segmentation fault. Proof of concept exploit included. Homepage: http://www.Hack-X.org. By Chandler | 0 | 2155 | Nov 6 2000 20:48:34 |
| exgsx.c | Gsx-0.90d and below contains a remote denial of service vulnerability which allows remote users to crash the GTK scour client by creating many connections. Homepage: http://www.Hack-X.org. By Chandler | 0 | 1285 | Nov 6 2000 20:44:51 |
| uni.pl | Uni.pl checks a host for the recent IIS unicode vulnerability in 14 different ways. By Stealthmode316 | 0 | 4048 | Nov 5 2000 15:24:09 |
| scx-sa-08.txt | Securax Security Advisory #8. IIS 4.0 contains a denial of service vulnerability which is similar to the unicode vulnerability. This can be fixed by installing the recent unicode patches. Homepage: http://securax.org. By Zoa_Chien | 0 | 3068 | Nov 5 2000 15:19:00 |
| pollex.pl | Poll It CGI v2.0 contains remote vulnerabilities which allow remote command execution and reading any file on the webserver. Fix available here. By Keelis | 0 | 4693 | Nov 5 2000 12:54:19 |
| IISHack1.5.zip | IISHack 1.5 attempts to remotely exploit a local buffer overflow in the IIS 4.0 and 5.0 .asp file parsing mechanism using the unicode bug, resulting in remote system access. Homepage: http://www.eEye.com. By eEye Digital Security | 0 | 24117 | Nov 4 2000 23:49:32 |
| hp-ux.cu.overflow.tx..> | HP-UX vB.11.00 ships with a SUID /bin/cu binary, which has a buffer overflow in the -l switch. By Zorgon | 0 | 693 | Nov 4 2000 16:21:24 |
| kde-exploit.gif | KDE File Manager can be tricked into executing commands as root by creating an HTML file with a link to a binary. By Dotslash | 0 | 245580 | Nov 4 2000 16:19:09 |
| mandrake.urpmi.txt | Mandrake 7.1's /usr/bin/urpmi allows attackers to install RPMs as root if they have an account in the urpmi group and possibly physical access. By Dotslash | 0 | 2628 | Nov 4 2000 16:10:19 |
| xrestore.c | Restore (/sbin/restore) v0.4b15 local root exploit. Tested against Redhat 6.2. Homepage: http://www.fakehalo.org. By Vade79 | 0 | 2300 | Nov 3 2000 18:43:54 |
| dump-exp.sh | Dump v0.4b15 for Linux on Redhat and others contains a trivial local root vulnerability. By Fish | 0 | 1405 | Nov 2 2000 01:31:25 |
| dump.sh | Dump v0.4b15 and below for Linux contains a trivial local root vulnerability. Includes proof of concept exploit tested on Redhat 6.2. By Mat | 0 | 1903 | Nov 2 2000 01:30:54 |